Synology MailPlus Server – End-to-End Solution

Version 1.3 – 01 Mar 2018. This process has been tested in a live installation but is only a guide – there may be variances in your environment that require different solutions.

Before you start

Before you start installing anything, you should have read and implemented the steps laid out in the Getting Started guide. Please also read this guide thoroughly before you start.

Like all things in life, it’s easy when you know how and difficult when you don’t. This is never more true than in the case of email systems. In a previous article we looked at installing MailPlus Server with a 3rd party relay agent to do the heavy lifting. In this article we are going to see how to install Synology MailPlus Server as a Synology end-to-end solution, with no 3rd party relay servers. This introduces a lot more complexity.

I couldn’t properly understand the subject without a visualisation so I created a diagram that shows roughly how it all fits together.  Note: It’s like the map of the London Underground – what’s shown on the map isn’t intended to reflect the above ground geography because that would make it much harder to read.

For clarity, I have shown the MailPlus Server and MailPlus client twice, on the left and the right of the chart.  Originally I showed all the services on one set of boxes, and it was very difficult to figure out what was incoming and what was outgoing.

The numbered circles correspond with explanatory notes and installation guides in the expanding sections beneath the diagram.

The Synology MailPlus app is a browser based UI where the user sends, receives and monitors mail. There are mobile apps too, on the appropriate stores.  But other clients such as Outlook, Thunderbird and Windows 10 Mail can be used as described in this Synology Knowledge Base article. 

Installation of MailPlus is simple so it won’t be covered here, except for this tip… 

Tip: MailPlus should be installed after MailPlus Server has been configured. Then it can obtain some parameters from the server and simplify user setup.

SMTP Authorisation is used to ensure that only messages from legitimate users are placed into the mail queue.

SMTP setup is pretty straightforward and the options on the following screen are mostly self explanatory.

Home users should take a look at some of the settings with numeric values because the defaults may be high for that purpose. 

(1) Mail attachments are still limited to 2Mb on some very old systems, with 10Mb being a sensible limit. If you’ve got a Synology box, then sending shared links makes sense – just in case the recipient has email limits such as a 200Mb mailbox:

Synology have placed some Security options in this section instead of the security section.  No, I don’t know why either.  So set them up while you’re here:

When the user presses Send, MailPlus Server  will make a DNS request for the IP address associated with the domain name  so that the recipient’s mail server can be located.  If an IP address is found, the message is dispatched to that server.

If no IP address can be found for the recipient’s mail server the MailPlus Server will queue the item and attempt to redeliver it, in case the receiving server is temporarily unavailable.  The user will be advised of the delay from time to time. If successive resends fail  the mail is returned to the sender with a covering message.

To enable the IP validation process to work in the other direction, you need to adjust two domain DNS settings – the A and MX records. 

Your domain name host will have provided you with access to a control panel where these settings can be found.  Each provider’s pages will look different but do essentially the same thing.

At (1) enter the static IP address assigned to your router

The value entered at (2) depends on your circumstances.  If your domain host and your ISP are the same company, then you should enter your FQDN, usually “mail.<domain name>”.  If your domain host and ISP are different, it’s best to enter the domain associated with your account by your ISP when you signed up, in my case p*********.plus.com.  This is because some email servers validate incoming mail by comparing the sending domain to the domain recorded against the IP address, and may treat a mismatch as a warning sign.

Once you have completed this step you have to be patient, because it can take up to 48 hours for the changes you made in your control panel to propagate across all the DNS servers around the world.  In practice it’s always much quicker than that.

The user name of the incoming mail will be matched to the mail server’s user list or aliases.  If a match is not found, the mail will be returned to the sending mail server, which delivers it back to the sender with a covering message that there is no such user at that domain.

If the user name is valid the mail will be subject to scanning by the receiving server for viruses, spam and other malicious content.  We are not concerned with how that is performed or what level of scanning is applied.  That is their responsibility.  We will be looking at our inbound filtering later.

Useful Link: Synology Help Article – Receiving Mail from External Services.

1) SMTP is only used for “SENDING” emails, either from the mail client or from the MailPlus server to someone else.

2) IMAP is only used to synchronise a Mailbox with multiple devices such as Thunderbird and Android or iOS devices.

3) POP3¹ is now rarely used for general email as it was designed to only transfer email from one server to one email client (when people only had an office PC and storage on the mail server was expensive, it made sense to transfer the emails to the user and delete them from the server).

If you need to receive mail from another service, such as Gmail the simplest solution is to set up a forwarding rule on that service to send a copy of any incoming mail to your domain account. Once it arrives on the server it will be managed using IMAP. 

At first you might want to leave a copy of the incoming message on Gmail so that you can double check all incoming mail is being received, but that mailbox will not reflect the items you delete and reply to, so its value as a backup is limited.  Later, you can easily change the Gmail forwarding rule to delete the mail after it has been forwarded.

¹ By the way, you may be wondering why I have shown the IMAP/POP3 protocols against the recipient’s mail server instead of our MailPlus Server where we need to implement them.  The answer is simple – for clarity in the diagram.  It would have seriously confused things if I had added them to the MailPlus boxes on either side.  This is why I described the diagram as like the London Underground map – designed to help you understand what’s happening underground, but not what it looks like above ground.

The reply process is the same as the one MailPlus Server used to dispatch the original mail, so there’s nothing to add. It all starts to happen when the incoming mail arrives at the MailPlus Server, where it is subjected to a raft of tests.

With the release of MailPlus Server 2.0.0-0522 Synology replaced SpamAssassin with Rspamd.

At the time of release of MailPlus Server 2.0.0-0522 there is some uncertainty about SpamAssassin rules, because that capability is still in the product.  It’s unclear whether this is an oversight or whether SA rules work with Rspamd.  For now, I have left the instructions as they were.  I will update this article when I know the outcome.  In the meantime, you can proceed with the setup and just ignore the references to SA rules.  In all other respects, Spam filtering setup is the same.

The MailPlus Server in-app help, accessible from the spam setup screens is very good so please refer to it for more information.

Synology have done a good job of integrating the SA tool-set into MailPlus Server and have reduced what could be a very cumbersome and difficult to maintain task into a reasonable number of steps which, unless indicated to the contrary, are one-off setup tasks:

  1. Find and import additional spam filtering rules
  2. Set rules update schedule
  3. Enable Auto-learning
  4. Set spam trigger levels (tweak periodically)
  5. Enable spam reporting
  6. Set daily schedule
  7. Enable postscreen protection
  8. Enable greylist (one off, but only after auto-learning has been running for a while)

Number 1 on the list is the most time consuming but Synology have made that easier by providing a link to a website from where rules can be obtained, although they have buried it in the in-app help file rather than putting it directly on the screen where you need it.  Some of the rule-sets require a bit of detective work to find.  For example, the Malware Block List is one of the most detailed filters there is (over 330,000 lines long) but you have to dig deep to find it.  To help you, here is the sign-up link for the free home version.

Beware of MalwarePatrol.cf. On my installation this set of rules stopped ALL mail from flowing in and out of MailPlus Server. It took a painful process of turning on each MailPlus Server setting one by one to find the problem. You could try installing it to see if it works for you. It’s easy to delete it if you have the same problem. The file is 330,000 lines so debugging it was not an option for me.

These rule-sets add extra filters to complement the basic filtering performed by SpamAssassin.  They are plain text files with a .cf extension.  In many cases a filter’s site doesn’t provide a .cf file to download.  Instead you have to copy the plain text from their page and paste it into a new text file that you give a file name and .cf extension.  Then you import it into MailPlus Server.  It is also slightly strange that several of the first entries on the page are dead links.  It may be that new rule sets are added to the end of the page, and those at the top go stale without being removed. 

Some rule sets carry a warning that they should not be used because of memory overheads.  Given that these rule sets are primarily designed for commercial servers, they should definitely be avoided on a relatively low powered device like a NAS.

Custom rule sets can be defined but that should be left for another time, if at all.  SpamAssassin’s site says that this should only be necessary if the profile of your mail traffic is outside the norm.  The existing rule sets cover most eventualities.  If you need to create a custom rule there’s a link to an instruction site in the in-app help page.

As a starting point, I enabled all of the items except Greylist, which will be turned on later after auto-learn has been running for a while (as advised in the Help System.)

The Anti-Spam settings defaults were also accepted:

SpamAssassin rules were added, sourced from the website provided in the in-app help system.  As described above, I did not install MalwarePatrol.cf

Auto learning was enabled using the default settings which may need to be tweaked based on live results.

I encountered a problem with reporting (1). For some reason forwarded spam and false spam have to be reported to two different email addresses.  Because I didn’t want to dedicate a precious licence to this, I tried to use aliases but because they resolve to the same named account, the system would not accept them.  For now I have disabled that facility.

Default DNSBL settings were accepted because spamhaus.org is widely recognised as an authoritative source:

AV doesn’t need much explanation.  I run AV at all points of entry to my DiskStation, and email is one of these.  There are two options for AV engine, ClamAV (free) and McAfee (subscription).  Though I had never heard of ClamAV before I started this project, it seems to have a good reputation: it’s open source, is widely used on mail servers and was developed by Cisco.

A Sender Policy Framework record is used to tell receiving mail servers which hosts are authorised to send mail for a domain.  The record is created on your domain host by adding a TXT record type.  Some sources maintain that an SPF record is not strictly necessary and that some large email services such as Gmail will work without one.  However, most validation tools, such as ValiMail, will return an error if one is not present and, as it takes only a few minutes to create, it’s easier to provide one than not.

Formatting the SPF record

SPF records can be complex, with many switches to perform different functions.  Fortunately for us, our SPF record can be much simpler:

v=spf1 a mx ip4:xxx.xxx.xxx.xxx ~all

For an explanation of these parameters click here.

Next you must enter the value in a TXT record on your domain’s DNS settings¹.  In your domain host’s control panel, look for the ability to add CNAME/TXT/SRV records and choose a TXT record type.

¹ Some registrars (including Fasthost) still support the now obsolete “SPF” record as well as the recommended “TXT” record.
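Before you save the record it is worth checking its syntax, because a typo here silently changes who may send for your domain. The Python below is an added example, not code from this guide or from Synology: it parses a record like the one above, rejects a placeholder such as xxx.xxx.xxx.xxx, warns about +all, and counts the DNS-lookup terms against the limit of ten set by RFC 7208. The address 203.0.113.10 in the usage lines is a documentation address standing in for your router’s static IP.

```python
from __future__ import annotations

import ipaddress

# Added example, not Synology's code. A mechanism may carry one of these
# qualifiers; no qualifier means "+" (pass).
QUALIFIERS = "+-~?"
# Mechanisms defined by RFC 7208. Those in LOOKUP_TERMS cost a DNS query and
# RFC 7208 allows at most 10 of them per record (more gives "permerror").
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return the problems found in an SPF TXT record (empty list = looks fine)."""
    problems: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    seen_all = False
    for term in terms[1:]:
        if seen_all:
            problems.append(f"term {term!r} after 'all' is never evaluated")
            continue
        # Modifiers are name=value (redirect=, exp=); mechanisms are name[:arg].
        if "=" in term:
            name = term.partition("=")[0].lower()
            if name == "redirect":
                lookups += 1
            elif name != "exp":
                problems.append(f"unknown modifier {name!r}")
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]  # "a/24" and "mx/24" carry a CIDR, not a domain
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism {name!r}")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            seen_all = True
            if qualifier == "+":
                problems.append("'+all' authorises every host on the Internet")
        elif name in ("ip4", "ip6"):
            family = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
            try:
                family(arg, strict=False)  # a bare address or a CIDR block
            except ValueError:
                problems.append(f"{name} argument {arg!r} is not a valid address or CIDR")
        elif name in ("include", "exists") and not arg:
            problems.append(f"{name} needs a domain argument")
    if not seen_all:
        problems.append("no 'all' term: hosts not listed get a neutral result")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return problems


if __name__ == "__main__":
    # Constructed sample records: the guide's template with the placeholder
    # still in place, then with a documentation address filled in.
    for sample in ("v=spf1 a mx ip4:xxx.xxx.xxx.xxx ~all",
                   "v=spf1 a mx ip4:203.0.113.10 ~all"):
        print(sample, "->", check_spf(sample) or "OK")
```

The ~all at the end is a softfail, which is what the guide suggests; the checker only complains when you weaken it to +all or leave it out altogether.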

DomainKeys Identified Mail is a method for validating that the sending system is authorised to send mail for the domain.  DKIM enhances the reputation of your mail server for mail that you send, and of the sender for incoming mail.

1. Turn DKIM on for incoming mail to validate the sender.  The lack of a DKIM signature lowers the reputation of the sender, possibly resulting in dropped mail.

2. Enable it for your outgoing messages.  That makes the next field mandatory.

3. DKIM selector prefix is a free text field where the user labels the public key by which their service is validated.  I have used a naming convention of <DiskStation name>-<domain name>.   When you deploy it later, the label will be followed by “._domainkey”, so in this example the complete selector is nas3-rrett._domainkey, but for now just enter the prefix that you want. NOTE:  There are limitations on the characters in your label.  For example, the . and _ characters are not allowed. If your chosen prefix contains invalid characters your domain host will probably not let you save the record.

Enter your chosen prefix.  “default” will be sufficient.

4. DKIM uses RSA validation where there are private and public keys that are matched and validated.  The public key will be required in later steps.  Press Generate Public Key button and accept the warning that the private key will be updated; it needs to be to match the public key.  (If you ever have a need to regenerate the key, the warning is a reminder to update the TXT record in your host’s DNS settings.)  Apply the settings.

5. Next you must enter the public key details in a TXT record on your domain’s DNS settings.  In your domain host’s control panel, look for the ability to add CNAME/TXT/SRV records and choose a TXT record type.

At 1, enter the prefix you defined in step 3 above, followed by ._domainkey

At 2, enter the highlighted values manually and then paste the public key. You can copy the values from here:

v=DKIM1;k=rsa;p=

Note 1: In the image shown above, my ISP’s control panel has wrapped the text, which makes it appear to have a line break.  In reality, you must enter the DKIM values and key as one continuous string without line breaks. 

Note 2: The value should be DKIM1 not DKIM.

Save the settings. They should take effect almost immediately. Validate them using MX Toolbox.
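The two notes above (one continuous string; DKIM1 not DKIM) are exactly the kind of mistake a quick local check catches before the record goes live. The Python below is an added example, not code from this guide or from Synology: it builds the record name from the prefix (nas3-rrett from the guide and example.com as a placeholder domain), removes the whitespace a control panel’s wrapping can introduce, and checks the v=, k= and p= tags. The ‘key’ it uses is a constructed stand-in; a real p= is the public key MailPlus Server generates, and the script only verifies that it is base64 of a DER SEQUENCE, not that it is a usable RSA key.

```python
from __future__ import annotations

import base64
import binascii
import re

# Added example, not Synology's code. The guide says '.' and '_' are not
# allowed in the prefix; we assume the DNS-label rule (letters, digits and
# hyphens, not starting or ending with a hyphen).
PREFIX_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def dkim_record_name(prefix: str, domain: str) -> str:
    """DNS name of the DKIM TXT record: <prefix>._domainkey.<domain>."""
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"selector prefix {prefix!r} contains invalid characters")
    return f"{prefix}._domainkey.{domain}"


def normalise_dkim_value(pasted: str) -> str:
    """Remove every line break and space so the record is one continuous string."""
    return "".join(pasted.split())


def check_dkim_value(value: str, normalise: bool = True) -> list[str]:
    """Return the problems found in a DKIM TXT record value (empty list = looks fine)."""
    if normalise:
        value = normalise_dkim_value(value)
    problems: list[str] = []
    tags: dict[str, str] = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        name, sep, val = item.partition("=")
        if not sep:
            problems.append(f"tag {item.strip()!r} has no '='")
            continue
        tags[name.strip()] = val.strip()
    # The version tag must read DKIM1 (the mistake reported in the comments).
    if tags.get("v") != "DKIM1":
        problems.append(f"v= must be DKIM1, got {tags.get('v')!r}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"k= must be rsa for an RSA key, got {tags['k']!r}")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= public key")
    elif p == "":
        problems.append("empty p= tells receivers the key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)  # strict: no stray characters
        except binascii.Error:
            problems.append("p= is not valid base64 (a line break or stray character in the key?)")
        else:
            # A SubjectPublicKeyInfo is a DER SEQUENCE, whose first byte is 0x30.
            if not der or der[0] != 0x30:
                problems.append("p= decodes but does not start with a DER SEQUENCE (not a public key)")
    return problems


# Constructed stand-in for the key MailPlus Server generates: base64 of a tiny
# DER SEQUENCE header followed by zeros. It is NOT a real RSA key.
SAMPLE_KEY = base64.b64encode(bytes([0x30, 0x0D]) + bytes(13)).decode()

if __name__ == "__main__":
    print(dkim_record_name("nas3-rrett", "example.com"))
    print(check_dkim_value("v=DKIM1;k=rsa;p=" + SAMPLE_KEY) or "OK")
    print(check_dkim_value("v=DKIM;k=rsa;p=" + SAMPLE_KEY))
    # A value copied with the control panel's line wrap still in it fails the
    # strict check, but passes once the whitespace is removed.
    wrapped = "v=DKIM1; k=rsa; p=" + SAMPLE_KEY[:10] + "\n" + SAMPLE_KEY[10:]
    print(check_dkim_value(wrapped, normalise=False))
    print(check_dkim_value(wrapped) or "OK")
```

Pasting the value through normalise_dkim_value before saving it is the safest habit: the tag list tolerates spaces after the semicolons, but the base64 key must not contain any whitespace at all.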

Domain-based Message Authentication, Reporting & Conformance is another authentication method which builds on SPF and DKIM.  An unusually plain English (relatively) description of DMARC can be found here.  There’s also a good guide to DMARC value settings here (you need to scroll down, and then some.)

v=DMARC1; p=none; pct=100

_dmarc.example.com – The prefix to be used in the TXT record on the domain’s DNS settings, followed by the domain name.

v=DMARC1 – Defines the TXT record as a DMARC item.

p= – Defines the policy to apply when a message fails the DMARC checks. none = delivered as normal; quarantine and reject are self explanatory.

pct= – The percentage of mails to which DMARC rules will be applied.  With the policy set to none and the percentage to 100, all mails will flow.  If we apply a policy such as quarantine, leave the pct at 100 and make a mistake in the overall rule set, 100% of our mail could go to quarantine.  Worse, if we set the policy to reject and pct to 100, all our incoming mail could be dropped.  It’s therefore important to reduce the pct value to a really low figure as soon as a policy is introduced.  Better to let some suspicious stuff past the filters at first to make sure mail is flowing.  The quarantine policy can then be introduced with a pct value of 5 to 10.  Monitoring of quarantined content will show you whether you need to be more or less aggressive with the pct level.

It should come as no surprise that the DMARC record is added to your domain’s DNS settings in Control panel as a TXT record, just as we did earlier for SPF and DKIM records.

The label for the TXT record takes the format:

_dmarc.yourdomain.com

Note: there is an exception to the rule for 1&1 hosted domains.  See image below.  1&1 will take the _dmarc prefix and append your domain name automatically.

The value is:

v=DMARC1; p=none; pct=100

Save the record and check it is working correctly, as we did for SPF & DKIM records.

DMARC has many additional attributes that can increase its capabilities, including two that combine DMARC with elements of SPF and DKIM respectively, for increased authenticity.
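As an added example (mine, not code from this guide or from Synology), here is a Python check for the DMARC record value, generalised from the record above: it builds the _dmarc label, validates the v=, p= and pct= tags, and flags an enforcing policy that is being introduced with a pct higher than the 5 to 10 suggested above. The rua= check goes slightly beyond the page: that tag (from RFC 7489) names the mailbox that receives aggregate reports and must be a mailto: address.

```python
from __future__ import annotations

# Added example, not Synology's code. Policy values defined by RFC 7489.
POLICIES = {"none", "quarantine", "reject"}
# Highest pct the guide suggests when an enforcing policy is first introduced.
SAFE_STARTING_PCT = 10


def dmarc_record_name(domain: str) -> str:
    """DNS name of the DMARC TXT record: _dmarc.<domain>."""
    return f"_dmarc.{domain}"


def parse_dmarc(value: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; pct=100' into a tag -> value dict."""
    tags: dict[str, str] = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = val.strip()
    return tags


def check_dmarc(value: str, introducing_policy: bool = True) -> list[str]:
    """Return the problems found in a DMARC record value (empty list = looks fine).

    introducing_policy=True means quarantine/reject is new for this domain, so
    a high pct is reported as the risk the guide describes. Pass False once the
    policy has been monitored and you are deliberately raising pct.
    """
    problems: list[str] = []
    tags = parse_dmarc(value)
    if value.split(";")[0].strip() != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in POLICIES:
        problems.append(f"p= must be none, quarantine or reject, got {policy!r}")
    pct_raw = tags.get("pct", "100")  # an absent pct means 100 (RFC 7489)
    pct = int(pct_raw) if pct_raw.isdigit() else -1
    if not 0 <= pct <= 100:
        problems.append(f"pct= must be an integer from 0 to 100, got {pct_raw!r}")
    if introducing_policy and policy in ("quarantine", "reject") and pct > SAFE_STARTING_PCT:
        problems.append(
            f"p={policy} with pct={pct}: start at {SAFE_STARTING_PCT}% or less "
            "and raise it as reports show mail flowing"
        )
    # rua= lists where aggregate reports go; each entry must be a mailto: URI.
    for uri in filter(None, tags.get("rua", "").split(",")):
        if not uri.strip().startswith("mailto:"):
            problems.append(f"rua entry {uri.strip()!r} is not a mailto: URI")
    return problems


if __name__ == "__main__":
    # Constructed sample records: the guide's starting record, then an
    # enforcing policy introduced at 100%, then a safer first step.
    print(dmarc_record_name("example.com"))
    for sample in ("v=DMARC1; p=none; pct=100",
                   "v=DMARC1; p=reject; pct=100",
                   "v=DMARC1; p=quarantine; pct=10"):
        print(sample, "->", check_dmarc(sample) or "OK")
```

The v= tag really does have to come first: receivers that find it anywhere else treat the record as not being a DMARC record at all, which is why the check looks at the first item rather than just at the parsed tags.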

This is one of the simplest of all the security filters to apply. 

There are few mysteries here and for once everything is well defined in the Help System.  These are the settings that seem most sensible to me:


I chose to not convert html into plain text.  This may be effective on a simple message with an html tag or two within it but many genuine emails contain so many that they are  impossible to read in plain text format.  I prefer to use the specific tag options to “Make tags ineffective” so that the end user can still read the mail but potentially dangerous tags are deactivated.

The Attachment Filter section contains a list of prohibited file attachment types, that could potentially carry a payload.  For some reason the .exe file type is missing from the list.
Rectifying this omission can be completed in three steps by clicking the Attachment Filter button:

I have not implemented Message Content Protection because:

  1. Defining rules looks like a tedious and error-prone process, with complex masking requirements in some cases.
  2. Some example rules are given but I could not discover what all of them mean.  For example ex_tw_identify_number has a complex mask that doesn’t match either of the first two candidates that I found from a web search, “Twitter ID” and “Taiwanese ID Number.”  But while researching those, I found a source that states that as of 2016, SpamAssassin is the better way to handle content protection.  I have already activated SpamAssassin so it’s just a case of ensuring the correct filter files are loaded.


And Finally…

I hope you found this guide useful. I try to update it when I discover more about the products involved. If you have any comments or better solutions, I’d love to hear from you. You can use the Comments area below or the Contact link in the top menu.

Paul Barrett

Contributors

Scott Parcher, John Greenwood, Ray Jacott, Matt Beardon, André Berends, Dolf Weiner, Christopher A Wichura, James Richards, Marco Panetto, Thorsten Stoeteram, Matt Hall, Kris Kristofferson, Peter Holland, John Henderson, Will Ku, Frans Vindum Tjagvad, Thomas Torpare, Daniel Ellenwood


  1. Paul Barrett says:

    On my server I have temporarily disabled DKIM authentication because https://mail-tester.com reports the signature is incorrect. I am waiting for Synology Support to respond because I have followed the instructions to the letter and it still does not work.

    mail-tester.com gives a better overall score with DKIM turned off than it does with an incorrect DKIM signature.

    I will update the guide in due course

  2. Paul Barrett says:

    The DKIM issue has been resolved and the guide updated. It was a simple fix: the DKIM value in the TXT record needed to be DKIM1 not DKIM.
